Networked data processing systems provide several advantages over centralized data processing systems. First, distributed processing systems provide a means for efficiently executing information processing requests by system users by allocating the requests for service to a plurality of available network processing resources ("network resources"). The operating systems present at the interconnected nodes of the network cooperate to distribute workloads to readily available resources by transferring operation packets having descriptions of functions to be performed by network resources and data between many locations, referred to as nodes, in the network. Certain processes running on the network nodes, referred to hereinafter as "management servers", control the routing of data and requests for performance of functions by network resources between distinct local systems in the network running under the control of separate management servers.
Typically, processes operating on a local system (i.e. within the control of a single management server) are executed independently of network protocol. These processes are free to manipulate local data and make local decisions. However, when processes exchange information with each other over the network they communicate under the control of the network management servers.
The management servers implement network communication protocol for transferring data and requests for performance of functions by network resources between the nodes of the network. These management servers receive requests from sender nodes, place these requests on network request queues, and then forward the requests to the specified destinations according to a predetermined set of network operation rules. The rules enforced by the network management servers are determined by the network designer based upon the general and specific needs of the network. In cases where requests pass between network management servers, the transmitting network management server and the receiving network management server(s) generally must agree on an essential set of rules for communicating information.
A "management service" is a set of related processes that perform the functions specified in management operations. A management operation is a packet of information which specifies at least a function to be performed by a management service and the entity requesting performance of the function. In a networked data processing system, automated management services are provided in a de-centralized manner to large numbers of local systems in a network. Some of the nodes in the network consist of hosts for a management service. The hosts may themselves be algorithms, work stations, personal computers or other operating systems which use the services provided in the networked data processing system.
A universal database for the network maps the hosts to their designated management servers. The management servers coordinate the receipt and delivery of data and network resource requests to specified nodes according to the trusted links designated by the mapping function for each management server. A management operation is a data packet containing at least a description of the requested function to be performed by a network resource and the identity of the user who submitted the request. When a management server receives a management operation, the management server may either dispatch the management operation to a host coupled to a local service provider under the control of the management server or alternatively, the management server may transfer the operation to another management server. For example, a management server may dispatch a management operation to another management server which is coupled to a certain host and is designated to receive the operations for that particular host. This mapping function provided by the database is used for forwarding management operations from a point of origination management server, which is the point of submission of a request by a user for performance of a function by a network resource, to the designated management server for the host which, in turn, administers the management service described in the management operation.
The management servers in a network should execute system management, which includes network communication protocol, in the networked data processing system in a way that maintains the "security" of the local systems and of the communication links between the local systems. Network security has traditionally consisted of means to protect against unauthorized access to operations or data contained within the network. This type of security prevents unintentional as well as deliberate attempts to access information or network processing resources within the data processing network. Another important aspect of security is the assurance given to the sender of data or network requests that the recipient will not corrupt or make unauthorized use of the information transmitted by the sender. "Security" not only consists of restricting access to network resources, but also includes the guarantee that a data request will be handled and/or processed by an intended and reliable network resource. The network resource may, for example, be another network management server, a data storage system or a data processing system.
A "threat" to the security in a network is used herein to denote any activity which, if successful, will result in a breach of the security of the system. A threat, if not neutralized, may destroy, alter, duplicate or transmit without authorization information entrusted by a user to the network or gain access to restricted processing resources. These threats can be created by impostors or unauthorized processes operating within the network.
Prior network management security facilities depend on mechanisms that already exist in local operating systems and local network services to diminish the impact of threats to the systems in the network. Such mechanisms include passwords, access control lists, and proxies for providing a secure management environment. These protection tools adequately provide a safe environment in single management server systems. However, several problems are introduced when the system contains more than one management server and data or network requests must be transmitted between two or more management servers.
First, heterogenous management systems, i.e. ones containing local operating systems implementing inconsistent system security measures, cannot guarantee uniform protection of information transmitted between local systems in the network once the receiving management server gains control of the information. The security measures utilized by the receiving system may be inadequate or the receiving management server may in turn transfer the information to a non-secure network resource. Therefore, in a heterogenous management system, a sender must weigh the benefit of transmitting information to another system resource controlled by another management server against the possibility that the confidentiality of that information will be compromised after the receiving management server gains control of the information.
Second, some prior security mechanisms are not designed for RSM operations, and are not completely secure when used in an environment. For example, unencoded passwords may be intercepted when passed between two management servers. The interceptor may then use the password to gain unauthorized access to restricted network resources or information.
In addition, locating the source of a security breach is difficult if each local system management server possesses the capability of utilizing programming tools outside the domain of RSM to modify the security measures associated with its local operating system. In order to diagnose all weak links in the security of the network, the local security measures of each management server in the network must be reviewed. Therefore, not only are these prior art systems subject to consequences of local security breaches, the difficulty in identifying the source of the security breach increases as the size of the network becomes larger.
Therefore, known RSM security facilities which utilize local security mechanisms external to the management service may present significant problems to one wishing to maintain a secure network. Weak security measures used by a local system may not be apparent to other local operating system management servers or users who do not have information relating to the security measures adopted by the other local systems of the network. Identifying the source of a security breach is complicated in systems where non-uniform security rules are used by different local operating systems because diagnosis requires knowledge of each local system's security measures. This is a formidable task if the network consists of more than a few nodes. Furthermore, diagnosis and elimination of security threats is further complicated when local security measures may be changed outside the network operating environment by local operating systems.
Other approaches for providing security for RSM operations performed in a network environment depend on global user authentication. As an example, private-key encryption services in which keys are assigned to specific processes are frequently employed. This approach is suitable for small-scale environments, for example, in a configuration using a single management server for a limited number of host systems or when the management domains comprising a larger network environment are isolated and thus cannot be modified without permission by a network authorization procedure. However, even under these circumstances security is not guaranteed because management systems which permit the control of operations to span multiple systems are vulnerable to attack at any point where control is transferred between systems. A process on a given system may be authenticated--that is, may represent itself truthfully--but may be utilized by a hostile party impersonating an authorized user, i.e., a prior transfer of control may have been compromised. Accordingly, when multiple management servers interact to provide management services to a large-scale networked computing environment, such approaches fail to adequately address the security problem.
The desired solution to this problem is delegation which is the transfer of authenticated credentials between parties. Methods for secure and manageable delegation over a network spanning multiple systems, processes and users do not currently exist. Instead, conventional delegation relies upon forwarding authenticated credentials from one object to the next in the network. These credentials are subject to the threat of interception when passed among multiple systems.